Sunday, 29 March 2015

The
awful events of last week have generated a considerable amount of comment about
the extent to which an employer is, or ought to be, aware of the mental health of key employees.

Does
data protection legislation prevent the disclosure of critical information which, if
withheld from an employer, permits the employee to carry out acts that
potentially have heinous consequences?

In
the UK, certainly not. Data controllers can always protect the vital interests
of other people in cases where it would be unreasonable to expect the data
subject to consent to the disclosure of sensitive personal data, or when the
consent of a data subject has been unreasonably withheld.

The
debate ought to focus less on any perceived failings of data protection
legislation and more on the obligations of confidence that doctors (and others)
have towards those who are being counselled.

This
is why I’m looking forward to contributions to this debate from members of the BMA’s
Medical Ethics Committee. The Committee debates
ethical issues on the relationship between the medical profession, the public
and the state. It also liaises with the General Medical Council on all matters
of ethics affecting medical practice. Other members of the BMA's secretariat produce detailed guidance and
discussion papers on a wide range of medico-ethical issues, and offer individual
ethical advice to BMA members over the phone or by email.

The BMA's confidentiality and disclosure of health information toolkit is a great start for those who are
keen to understand the current guidelines. On the issue of disclosing medical
data in the public interest, for example, it says: “Health professionals should be aware
that they risk criticism, and even legal liability, if they fail to take action
to avoid serious harm. Advisory bodies, such as the BMA, cannot tell health
professionals whether or not to disclose information in a particular case, but
can provide general guidance about the categories of cases in which decisions
to disclose may be justifiable (see below). Guidance should be sought from
their Caldicott guardian, professional body or defence body where there is any
doubt as to whether disclosure should take place in the public interest.”

I’m looking forward to more specific
guidance from the BMA, in light of recent events. Many patients are unlikely to
be fully forthcoming to medical professionals if they feel that the effect of
their most candid confessions would be to curtail the careers they have fought
so hard to forge.

Somehow, the BMA is going to have to
reassure the public that the confidentiality obligations which currently exist
between doctor and patient are sufficiently strong to encourage patients to
continue to open their souls to their doctors. At the same time, doctors may
well need additional assurance that they will not be held legally liable when it
is necessary to disclose information that really ought to be made more widely
available.

Friday, 20 March 2015

Fears
about the complexity of the final version of the text, together with concerns
about the impact of ridiculously high fines on businesses that transgress are
rippling through the DP job market.

Today,
if you know where to look (in London), you can apply for a part-time privacy
officer role for an annual (pro-rated) salary of £70,000 – or if you fancy a
full-time job, one organisation is currently prepared to pay
up to £150,000 for the right candidate.

Let's
put that in context. £150,000 is more than the Prime Minister’s salary. And, yes, more than the Information Commissioner’s salary. Even £70,000 is much,
much more than the salaries of the overwhelming majority of the staff at
the ICO.

I’m
really not sure if it was intended by the drafters of the upcoming GDPR that
the salaries of those who were expected to implement it were likely to be so
much greater than the salaries of those who were expected to regulate it.

But
that is the consequence of what is happening.

And
the more complicated this thing gets, and the more noise that is generated
about the new “rights” that citizens are going to have with regard to their own
personal data, the more the DPO salaries are likely to rise.

Responsible
controllers – and certainly those in the heavily regulated sectors – will
continue to suck up the brightest talent, and will be obliged to offer salaries
that, thanks to the current scarcity of experienced data protection
practitioners, will compare very favourably with other trades.

Is
this really what we want?

As
a consultant or an employee, probably yes.

As
a business owner, probably not.

As
a regulator – well, at least it ensures that the ICO will continue to act as a
training academy for those that want to hone their data protection skills
before they transfer to the private sector.

Note: Experienced
DPOs interested in changing jobs may want to contact me (very discreetly) to learn more about the roles I’ve referred to in this blog.

Monday, 16 March 2015

Bad
news for the militant wing of the privacy lobby who want to believe that the
Interception of Communications Commissioner is simply an establishment patsy,
an apologist for anything and everything a spook or law enforcement agency wants to get away with.

Sir
Anthony May’s latest annual report lays out more evidence of the independent
and impartial approach that he and his inspectors take on the thorny question as
to what ethical policing means in practice.

Time
and time again, the report not only points to areas that require
remediation, but also highlights issues where progress has been made, thanks
to recommendations made following earlier inspections.

The militants particularly won't like the next three paragraphs, which have been lifted from the report, but I make no apology for reproducing them here:

"My inspectors identified
that communications data was frequently relied on to provide both inculpatory
and exculpatory evidence. The communications data acquired revealed suspects'
movements and tied them to crime scenes. It often led to other key evidence
being identified or retrieved. Links to previously unidentified offenders and
offences were revealed. Dangerous offenders were located and offences were
disrupted with the assistance of communications data. Patterns of communication
provided evidence of conspiracy between suspects. The data highlighted
inconsistencies in accounts given by suspects and corroborated the testimony of
victims. The data determined the last known whereabouts of victims and persons
they had been in contact with. Similarly, communications data assisted to
eliminate key suspects or highlighted inconsistencies in accounts given by
victims. [7.65]

In a couple of the
operations examined the inspectors concluded that there were potentially gaps
in the acquisition process where the investigation teams had not identified the
full range of data necessary to achieve the objective. This failure to identify
relevant data may adversely impact on the ability to, for example, corroborate
the account given by a witness, corroborate the testimony and / or determine
the last known whereabouts of a victim or properly determine the role of a
suspect in a crime or indicate their innocence. This may present the
acquisition process as arbitrary and serious implications could result. This is
an area in which it is important for the SPOCs to engage with the applicants to
develop strategies to ensure that the appropriate data is sought to fully
achieve the investigative objective. [7.66]

In the operations where
large elements of the offences, if not all the offences, took place within a
‘virtual world’ e.g. some of the fraud and sexual offences, the requirement for
communications data was ever more apparent. It was also apparent from these
operations that as technologies have developed police forces and law
enforcement agencies have increasingly looked at a wider range of technologies
to investigate offences. The inspectors noted that in relation to the
investigation of serious and organised criminals, the increasing tactical
awareness of criminals means that a larger amount of data, on a potentially
wider range of devices and individuals, has to be acquired to meet operational
objectives which may have been more simply achieved in previous years. [7.67]

The
report also criticises institutions that have ignored past
recommendations:

"Last year I made the point that the numerous policy documents
governing the interception of prisoners' communications were fragmented, overlapping
and contradictory in places and that this made it difficult for the prisons
themselves to understand the requirements fully and for our inspectors to
conduct the oversight. I am disappointed that there has not been any progress
on these matters. I reiterate that NOMS must get to grips with these issues and
put in place clear and defined policy and risk assessment documents for the
interception of prisoners’ communications. Our experience shows that the
prisons are trying extremely hard to comply with the various policies in this
area, but they are in need of clear direction and better quality policy." [p.87]

Interestingly, while SPOCs
in general are highly thought of, the report focuses its criticism on some
Professional Standards departments (the teams that investigate investigators), where
poor practices prevail:

"The inquiry found that an
excessively high number of the applications submitted by Professional Standards
departments were completed to a poor standard and did not adequately justify
the necessity and proportionality justifications. In a number of applications
the criminal allegation or the criminal offences suspected were not set out or
there was no description as to how they were linked to, and aggravated by, the
officer’s misuse of a position in public office. The applications often relied
upon vague and dubious descriptions under the ‘umbrella’ of misconduct in public
office and my inspectors were not satisfied that the high threshold for the
offence of misconduct in public office had been met. There did not appear to be
any intention for some of the matters to be subject of a prosecution within a
criminal court. Turning to proportionality, lengthy periods of traffic or
service use data were often sought without sufficient justification and it was
not clear whether other lines of inquiry had been considered and if so why they
had not been pursued. For example, a number of the applications concerned
investigations into officers forming inappropriate relationships with victims
of crime. Whilst in some cases the circumstances may justify that it is
reasonable to suspect serious inappropriate activity was taking place, for example,
the formation of sexual relationships with vulnerable victims; some of the
applications examined detailed fairly minor transgressions and did not identify
whether serious wrongdoing was suspected, or failed to give convincing reasons
to suspect that serious wrongdoing was occurring. In these applications it was
also not apparent why other action, such as intervention by the officer’s
supervisors or misconduct interviews were not considered, or if they had been
why they were not deemed appropriate. In such cases my inspectors' concern was
exacerbated where there appeared to be little resolve to subsequently pursue a
prosecution when evidence was acquired which supported the initial premise of
the application." [7.81]

Strong stuff.

However, these criticisms
should be read in their context. They should not detract from the
Commissioner’s conclusion that, overall, "my office’s inquiries did not find significant
institutional overuse of communications data powers by police forces and
law enforcement agencies. … However, my office did find that a proportion of
the applications did not adequately deal with the question of necessity or
proportionality and we found some examples where the powers had been used
improperly or where they had been used unnecessarily. Overall the operational
reviews showed that the communications data that was acquired was necessary and
proportionate to the matter under investigation." [7.94]

So, we won’t be hearing
much from the militant wing of the privacy lobby about this report because,
frankly, there’s not much for them to complain about.

The more independently
minded privacy advocates will probably take some comfort from the report – both
in learning how RIPA (and DRIPA) actually work in practice, and in realising
what a world-leading supervisory system the UK actually has.

Thursday, 12 March 2015

The
law enforcement community’s response to the question of how the internet should
be policed continues to raise a number of significant questions. And it’s
leaving some representatives from academia and civil society in a bit of a
bind.

Paul
Bernal’s recent blog on a meeting organised by the Association of Chief Police
Officers on this issue touched on some of these questions. The feedback he’s received
is quite revealing.

One
respondent was unhappy that various stakeholders had agreed to meet ACPO in the
first place. They commented that “real debate
between those who disagree on the deepest philosophical and ‘legal’ in the
broadest sense matters, is hardly likely to take place at an event organised by
(and ultimately for) law enforcement/the state.”

I don’t agree.

It's important for all responsible stakeholders to feel that
their voices can be heard in a debate where everyone accepts that what is
required is policing by consent. At issue is what everyone (or almost everyone)
is capable of consenting to.

With new legislation focusing on how communications data should
be retained and used for law enforcement purposes on the horizon, it's essential
that the Home Office and other interested parties consult as widely as is
practicable in order that, when the proposals are presented to Parliament,
politicians won't need to criticise the measures on the grounds that
insufficient consultation has taken place.

The dilemma for the representatives from academia and civil
society is that, by becoming more aware of the practical problems facing the
law enforcement community, they may feel encouraged to support pragmatic
proposals that many people would shy away from. So do they risk being
ostracised by their more radically minded colleagues, whose views on issues related
to communications data retention are not formed from any significant experience
of the distress felt by victims of serious crime, victims who care less about the
techniques used to deliver justice to serious criminals?

Academics and civil society campaigners who want to be reminded
of the perils of being associated with a “bad” initiative need only think back
to the manner in which Simon Davies of Privacy International was pilloried by
some of his contemporaries when his independent research found that, actually, the Phorm initiative wasn’t quite as awful as its critics had wanted it to be.

It’s hard to remain dispassionate and neutral about such issues,
and there will always be accusations that various academics have been captured
by the law enforcement community if they indicate that they support proposals
that benefit the law enforcement community. After all, who wants to make crime
fighting easier …

Responsible academics ought to remain engaged with the
policymaking process, and express their views from within the tent. It would
never be appropriate (nor has it yet happened, to my knowledge) for an academic
to take comfort in grandstanding from a distance, or causing so much fuss at
meetings that when they threaten to eject themselves from the meeting, their
offer is gratefully accepted.

About Me

I'm Martin Hoskins, and I write this blog to offer a somewhat irreverent approach to data protection issues. I'm not one of the "high priests" of data protection. I prefer the principles of transparency, fairness, practicality and risk-assessment over tedious technical dogma. In my view, when the law is unfair or impractical, it should be queried.
While I may, occasionally, gently criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity. My comments should never be taken to represent anyone else's views about any of the pressing issues of the day.
There is a much more serious side to my privacy consulting work, but for that you'll need to contact me at Grant Thornton UK LLP, where I'm an Associate Director, leading the UK privacy practice.
I tweet as @DataProtector.
You can contact me at:
martin.c.hoskins@uk.gt.com, or (with respect to my less serious posts) info@martinhoskins.com.